Cryptography-Digest Digest #217, Volume #13      Fri, 24 Nov 00 15:13:01 EST

Contents:
  Re: Isomorphic Elliptic Curves ("Bruce Murray")
  RSA funny stuff (Tom St Denis)
  Re: Set projection.. (Runu Knips)
  Re: Entropy paradox (John Savard)
  Re: Set projection.. (Chris Gillespie)
  Re: Entropy paradox (John Savard)
  Re: Cryptogram Newsletter is off the wall? (Anne & Lynn Wheeler)
  Re: Question regarding OS's. (Guy Macon)
  Re: Here's one for you CA types (Guy Macon)
  Re: Isomorphic Elliptic Curves ("John A. Malley")
  Re: Entropy paradox (Mok-Kong Shen)
  Re: A Simple Voting Procedure (Darren New)
  Re: A Simple Voting Procedure (David Schwartz)
  Re: A Simple Voting Procedure (David Schwartz)
  Re: A Simple Voting Procedure ("Trevor L. Jackson, III")
  Re: A Simple Voting Procedure ("Trevor L. Jackson, III")
  Re: How to find celebrity ("Trevor L. Jackson, III")
  Re: A Simple Voting Procedure (Darren New)
  Re: Entropy paradox ("Trevor L. Jackson, III")
  Q: Encryption via modular rests (Mok-Kong Shen)

----------------------------------------------------------------------------

From: "Bruce Murray" <[EMAIL PROTECTED]>
Subject: Re: Isomorphic Elliptic Curves
Date: Fri, 24 Nov 2000 10:45:42 -0000

A simple way to intuitively understand the construction underlying this
isomorphism property is to recognise that two points

(x,y) and (x, p-y) lie on the curve y^2 = (x^3 + ax + b) mod p for a chosen
x iff the RHS forms a quadratic residue mod p.

There is also the special case of a single point, when the RHS = 0 mod p.
The following argument applies in both cases:-

We can define a new curve by multiplying each side of the curve equation by
a non-zero quadratic residue of the form k^6 mod p, whereupon

k^6.y^2 = k^6.(x^3 + ax + b) mod p

and two points (or one in the =0 mod p case) are created on the new curve
for every two (or one resp) on the original one, since the multiplication by
a quadratic residue on each side preserves the original "residue-ness" (QR *
QR = QR, QNR * QR = QNR).

Now write the new curve as

Y^2 = (X^3 + cX + d) mod p where

Y = k^3 . y
X = k^2 . x
c = k^4 . a
d = k^6 . b

and it should be clear that we have constructed a new curve with the same
number of points by virtue of this construction. I would not be confident to
say this is enough in itself to demonstrate isomorphism of the groups of
points on these two curves under the point addition operation (unless the
original group was itself prime order, whereupon the isomorphism is
obvious).

Incidentally, multiplying through by a quadratic non-residue of the form m^3
say, defines a curve which is the "twist" of the original, by "inverting"
the "residue-ness" of the RHS at each x value mod p. This creates two points
where none existed and vice versa, and  thus a nice relationship between the
curve orders of the form

#(E) + #(twist(E)) = 2(p+1)

where the point at infinity on each curve is counted within its order.

Bruce Murray
Philips Semiconductors
Southampton UK

John A. Malley <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "J. Rostand" wrote:
> >
> > Two very simple questions:
> >
> > Let E1 and E2 be two elliptic curves over a finite field K (defined as
> > cubic curves in the projective plane).
> >
> > 1) What is the definition of E1 being isomorphic to E2?
> > 2) What is the relation between that isomorphism and the algebraic
> > structures of the underlying groups? For example, are the groups of E1
> > and E2 isomorphic if and only if E1 and E2 are isomorphic?
>
> Two elliptic curves are isomorphic if their group structure is the same.
> This occurs when there is a rational, invertible transformation (x,y)
> |-> (x',y') such that the point (x,y) is on the first curve iff the
> point (x',y') is on the second curve.  The two elliptic curves
> E_a,b(F_p) and E_c,d(F_p) are isomorphic over the same ground field F_p
> if and only if c =  a*A^4 and b = d*A^6 for some A that's an element of
> F_p.
>
> The notation E_a,b(F_p) means an elliptic curve of the form
>
> y^2 mod p = ( x^3 + ax + b ) mod p.
>
> Got this from Lemma 6.4 of Chapter 6 of Dr. Burton Kaliski, Jr. 's
> Thesis "Elliptic Curves and Cryptography: A Pseudorandom Bit Generator
> and Other Tools", MIT, February 1988.  He references a paper by J. Tate,
> "The arithmetic of elliptic curves," Inventiones Mathematicae,
> 23:179-206, 1974.
>
> Furthermore, as I understand it (and I am new to this, still reading Dr.
> Kaliski's thesis with a copy of "Rational Points on Elliptic Curves" by
> Joseph H. Silverman and John Tate on hand, ISBN-0-387-97825-9), two
> elliptic curves E1 and E2 can be isomorphic to an extension of the field
> F_p without being isomorphic to each other over the field F_p.
>
> Hope this helps,
>
>
> John A. Malley
> [EMAIL PROTECTED]
>
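
Added example, not part of Bruce Murray's post or of the thread: a Python check on a toy curve (p = 103, a = 2, b = 3, all constructed here) that the map (x, y) -> (k^2.x, k^3.y) is a bijection onto the new curve and commutes with point addition, and that #(E) + #(twist(E)) = 2(p+1). The exhaustive addition check goes beyond the point-counting argument in the post; the function names and the written-out twist equation are this example's own assumptions.

```python
# Added example; curve parameters are constructed for illustration.
P, A, B = 103, 2, 3   # y^2 = x^3 + 2x + 3 over F_103 (4A^3 + 27B^2 = 69 mod 103, nonzero)


def curve_points(a, b, p):
    """All points on y^2 = x^3 + ax + b over F_p; None stands for the point at infinity."""
    square_roots = {}
    for y in range(p):
        square_roots.setdefault(y * y % p, []).append(y)
    pts = [None]
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        # RHS a QR -> two points (x, y), (x, p-y); RHS = 0 -> one point; QNR -> none
        pts.extend((x, y) for y in square_roots.get(rhs, []))
    return pts


def add(p1, p2, a, p):
    """Affine chord-and-tangent addition on a short Weierstrass curve."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                      # P + (-P), including doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def scaled_curve(a, b, k, p):
    """Coefficients (c, d) = (k^4.a, k^6.b) from the post."""
    return pow(k, 4, p) * a % p, pow(k, 6, p) * b % p


def scale_point(pt, k, p):
    """(x, y) -> (X, Y) = (k^2.x, k^3.y); infinity maps to infinity."""
    if pt is None:
        return None
    return pow(k, 2, p) * pt[0] % p, pow(k, 3, p) * pt[1] % p


def is_group_isomorphism(a, b, k, p):
    c, d = scaled_curve(a, b, k, p)
    src = curve_points(a, b, p)
    image = [scale_point(pt, k, p) for pt in src]
    # Bijection: no two points collide and the image is exactly the new curve.
    if len(set(image)) != len(src) or set(image) != set(curve_points(c, d, p)):
        return False
    # Homomorphism: adding then mapping equals mapping then adding, for every pair.
    return all(
        scale_point(add(s, t, a, p), k, p) == add(fs, ft, c, p)
        for s, fs in zip(src, image) for t, ft in zip(src, image)
    )


def twist_order_sum(a, b, p):
    """#(E) + #(twist(E)), twisting by m^3 for the smallest quadratic non-residue m."""
    m = next(m for m in range(2, p) if pow(m, (p - 1) // 2, p) == p - 1)
    # Assumed form of the twist: Y^2 = X^3 + m^2.a.X + m^3.b, with X = m.x
    twist = (m * m * a % p, pow(m, 3, p) * b % p)
    return len(curve_points(a, b, p)) + len(curve_points(*twist, p))


if __name__ == "__main__":
    print(all(is_group_isomorphism(A, B, k, P) for k in range(1, P)))
    print(twist_order_sum(A, B, P), 2 * (P + 1))
```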



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: RSA funny stuff
Date: Fri, 24 Nov 2000 12:16:40 GMT

On http://www.rsasecurity.com/developers/total-solution/faq.html I
found the following question

Q: "With multiple implementations of the RSA algorithm, how can I be
sure I'm purchasing authentic "RSA"?"

A: "For the past decade, RSA Security has worked with more than 800
companies to include the company's encryption technology in more than a
thousand products and applications. Today, people can look for RSA
Security's brands and embedded software logos to ensure the products,
applications and services they use include genuine RSA Security
encryption technology. These marks include RSA Secured, Genuine RSA,
and others."

So all we need is cuter logos, no more crypto!

hehehehe... as if people honestly believe a little logo means it's
secure... hahahaha

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

Date: Fri, 24 Nov 2000 14:30:21 +0100
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Set projection..

Jorgen Hedlund wrote:
> 
> I'm out on thin ice here, so bear with me. =)
> 
> As I've understood it, using public/private key
> ciphering you start up with the unciphered data
> and use the public key with some function to
> project into another set. I.e. projection from
> set A to set B using the public key, where set
> A is unciphered data, and set B is the ciphered
> data.
> 
> Now to my problem, is there any easy way to find
> the reverse function (i.e. from set B to set A
> using the private key) once you have the first
> function?

No.

Everyone has your public key.

So if such a reverse function would be easy to find,
everyone could decrypt all messages encrypted with
the public key, which is exactly what should NOT
happen.

The security of the asymmetric ciphers is that it
is hard to compute the private key from the public
key. Finding the reverse function is the same as
finding the private key.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Entropy paradox
Date: Fri, 24 Nov 2000 13:59:42 GMT

On Fri, 24 Nov 2000 09:18:42 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:

>As I mentioned, we consider a bit that nobody on earth
>can predict to have full entropy. So it is a practical
>issue.

Not in the way you are raising it, though.

The mathematical abstraction of "true randomness" has certain
properties.

Bits generated by BBS or another genuinely cryptosecure PRNG from a
smaller number of bits _definitely_ don't have those properties.

Bits generated from a physical source of randomness may not be able to
be *proved* to have those properties either, but unlike BBS output, we
don't yet *know* how to produce them from a smaller number of bits.
Hence, although a risk is involved, it is reasonable to proceed *as
if* those bits were known to have a certain quantity of entropy, while
we know we may not do so with bits that are deterministically
generated.

For most cryptographic purposes, cryptosecurity is 'just as good' as
true randomness, but not for all of them. The initial seed key has to
have a truly random part big enough to resist brute-force search.
Period.

Even using EKE, for example, doesn't get around this: while the
initial password may be short, the private keys can't be guessable
either: if a short key went into BBS to make the bits from which the
private keys were derived, the use of BBS and the subsequent
processing steps in generating the private keys would be, properly,
considered part of the 'method' for purposes of interpreting the
Kerckhoffs dictum.

The closest thing to being able to dispense with either a hardware
RNG, or the need to type in random characters every time one sends a
message, is the use of methods such as I discuss in my page on "Red
Thread Resistance", where the message itself is used as the source of
randomness.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

Date: Fri, 24 Nov 2000 14:45:05 +0000
From: Chris Gillespie <[EMAIL PROTECTED]>
Subject: Re: Set projection..

It is possible to reverse the function, but not in any usable time
frame. For example, I think breaking one RSA encoded message would
require 100 million years if every PC in the world was used in parallel.
This time frame depends entirely on the size of the key being used. The
strength is in the difficulty of factoring a number. If you want more
details, look at a good crypto book. Simon Singh's "The Code Book" is a
good first source.

Chris.


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Entropy paradox
Date: Fri, 24 Nov 2000 14:08:12 GMT

On Fri, 24 Nov 2000 09:11:31 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:

>Following this reasoning, one would then get into a 
>paradoxical situation.

So what? Of course you will get into paradoxes if you wilfully allow
yourself to engage in unsound reasoning, such as using inexact
definitions of things like entropy.

'Just as good most of the time' is not identical to 'identical'.

Because brute-force search is part of the real world, the difference
between BBS-generated bits and bits generated by imperfect electrical
noise sources does have practical value, even though the latter can't
be proven to correspond exactly to the mathematical abstraction of
true randomness.

Because the latter, not the former, approximate the particular
characteristic of the mathematical abstraction that is crucial for the
particular application. Using mathematical abstractions to design
things for use in the real world always includes a risk, but that risk
is minimized by understanding the chain of inference proceeding from
the abstraction, and the way in which the approximations applied to
the real world will affect the final result.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

Subject: Re: Cryptogram Newsletter is off the wall?
Reply-To: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
From: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
Date: Fri, 24 Nov 2000 16:14:58 GMT


[EMAIL PROTECTED] (Vernon Schryver) writes:
> SYN bombing is an illuminating example.  Every busy web server continually
> suffers from orphan TCP SYN's that cannot be distinguished from intentional
> SYN attacks.  Every time a random PC is disconnected just after sending
> a SYN to start fetching an HTTP page, the target HTTP server will see a
> TCP/IP packet that cannot be distinguished from a SYN attack.  The only
> distinguishing characteristic of a SYN attack is enough orphan SYN's to
> cause problems, and that depends more on the nature of the system under
> "attack" than on other people's intentions, good or otherwise.

some number of the orphan SYNs would go poof if there was some
way of communicating ICMP not available/reachable up the stack.

-- 
Anne & Lynn Wheeler   | [EMAIL PROTECTED] -  http://www.garlic.com/~lynn/ 

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Question regarding OS's.
Date: 24 Nov 2000 17:33:28 GMT

Juri wrote:
>
>Thanks for pointing some things out for me, I still prefer
>to use NT4 because of the driver problem for my hardware
>that won't work under NT5.
>

I found that NT4 was less stable than Win 2K unless you install
Internet Explorer 5.5 and NT Service Pack 6A, after which all
the problems go away.


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Here's one for you CA types
Date: 24 Nov 2000 17:35:22 GMT

Michael Erskine wrote:
>
>
>"William A. McKee" wrote:
>> 
>> It's not ROT13 :)
>
>Thanks, I knew that.
>

It's a program that is used to attack newsgroups by replacing the real
posts with random garbage.  See news.admin.net-abuse.usenet for details.


------------------------------

From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Isomorphic Elliptic Curves
Date: Fri, 24 Nov 2000 09:48:46 -0800


What an excellent explanation of the isomorphism between the two
elliptic curves! Thanks! 

John A. Malley
[EMAIL PROTECTED]

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Entropy paradox
Date: Fri, 24 Nov 2000 18:58:24 +0100


Because of wide fan-out, I like again to respond with
a single follow-up.

I have argued to treat the term 'entropy' in a more practice-
oriented sense, since we have no (practical) means to
detect/verify 'perfect' randomness in the rigorous theoretical
sense.

Of course one could argue that the term entropy is 'reserved'
for what is defined in the theory. Let me therefore by-pass
that through (temporary for this thread) introducing a
term, say G, denoting the kind of unit of measure that people 
who work on hardware RNG estimate the 'unpredictability' of 
the bit sequences they obtained. So I think now that I 
wouldn't be considered having misused a standard terminology. 
(I change in the following also a few designations.)

Now suppose by some means, e.g. through hardware RNG, I
obtained a bit sequence of h bits that is estimated to
have s G with s approximately equal to h. I use that to 
carefully construct a so-called crypto-strong PRNG, e.g. 
BBS, and obtain n*h bits. If the theory of that PRNG is 
o.k., I should have all these bits 'practically' 
unpredictable (even by the currently mightiest opponent). 
Now I estimate each of the n portions (of length h) of 
the output in units of G. Since the PRNG is uniform,
I'll get on the average t G. So the output has in
total n*t G. Question: Is n*t<=s? Certainly not, for 
otherwise the PRNG would have been useless (or even worse) 
and nobody would care to use it. Given the good claims in 
the literature about the unpredictability of the output
of that PRNG, t must be also approximately equal to h.
Now the question is: Where does the (almost n fold)
amplification in terms of G from s to n*t come from? It 
must come from somewhere, isn't it? That's the essence 
of the paradox I originally posted.

M. K. Shen
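
Added example, not part of any post in this digest: a toy Blum-Blum-Shub generator illustrating the seed-size argument in the Entropy paradox thread (an h-bit seed expanded to n*h output bits, and the point that the seed must be big enough to resist brute-force search). The modulus 499*547, h = 12 and all function names are constructed for this example; a real BBS modulus is far larger.

```python
import math
from collections import Counter

# Toy Blum integer, constructed for illustration: both primes are 3 mod 4.
N = 499 * 547
H = 12            # seed length in bits (the thread's h), deliberately searchable


def bbs_bits(seed, count, n=N):
    """x0 = seed^2 mod n, then repeated squaring; emit the low bit of each state."""
    x = seed * seed % n
    out = []
    for _ in range(count):
        x = x * x % n
        out.append(x & 1)
    return tuple(out)


def seed_space(h=H, n=N):
    """Every admissible h-bit seed (coprime to the modulus)."""
    return [s for s in range(2, 1 << h) if math.gcd(s, n) == 1]


def output_entropy(count, h=H):
    """Shannon entropy in bits of the count-bit output when the seed is uniform.

    Returns (entropy, number of distinct outputs, number of seeds).
    """
    seeds = seed_space(h)
    freq = Counter(bbs_bits(s, count) for s in seeds)
    total = len(seeds)
    entropy = -sum(c / total * math.log2(c / total) for c in freq.values())
    return entropy, len(freq), total


def candidate_seeds(prefix, h=H):
    """Exhaustive search: every h-bit seed whose output starts with the observed prefix."""
    return [s for s in seed_space(h) if bbs_bits(s, len(prefix)) == tuple(prefix)]


if __name__ == "__main__":
    n_blocks = 8                                   # the thread's n
    entropy, distinct, total = output_entropy(n_blocks * H)
    # The output is n*h = 96 bits long, yet it is a function of the seed alone,
    # so its entropy cannot exceed log2(number of seeds) < h.
    print(f"{n_blocks * H}-bit outputs: {distinct} distinct, "
          f"entropy {entropy:.2f} bits, seed bound {math.log2(total):.2f} bits")

    secret = 3001                                  # constructed sample seed
    stream = bbs_bits(secret, n_blocks * H)
    found = candidate_seeds(stream[:32])
    print("seeds consistent with the first 32 bits:", found)
```

The per-block unpredictability estimate that the thread calls t is a statement about a computationally bounded observer; the enumeration above is what an unbounded one sees, which is why the seed length has to put that search out of reach.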

------------------------------

From: Darren New <[EMAIL PROTECTED]>
Subject: Re: A Simple Voting Procedure
Date: Fri, 24 Nov 2000 18:43:25 GMT

> > Properties under discussion:
> >    p1) voter can prove, by himself alone, at his sole option, that
> >        his vote is or is not correctly counted
> >    p2) voter can be forced to reveal his vote against his will
> >
>         The voter is displayed a GUID before he or she votes which he may or
> may not write down. He then casts his vote. Immediately after the
> election, all the GUIDs are released along with which way they voted. At
> the same time the voter votes, he is shown one GUID (that is not his)
> that was cast (by someone else) for each other candidate, which he may
> or may not write down.
> 
>         Why doesn't this meet 'p1' without providing 'p2'?

I think the question is "the voter can prove". Generally, "prove" requires
an indirect object. It's implicitly taken to be "to anyone" because that is
the point of mathematics and science, where the word "prove" is used most
rigorously.

In what sense could the voter "prove" his vote is or is not counted? He can
tell whether his vote was counted correctly, but he could only "prove" it to
himself. If it's counted incorrectly, how does he convince anyone else of
that?

Now, if you said "the voter can confirm his/her vote was counted correctly"
I would think it's different. In that case, you'd expect a non-political
response (e.g., revolution) to the situation where enough voters thought
their votes were miscounted.

I think the impossibility of P1 & not P2 comes from assuming that "prove"
means you can prove *to a third party* whether your vote was counted
correctly. If you can prove to a third party whether your vote was counted
correctly, and you cannot prove it was counted incorrectly if it was
actually counted correctly, then I think you cannot have P1 without P2.
Otherwise, someone simply puts a gun to your head and says "Do P1".


-- 
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST).  Cryptokeys on demand.
Both democracy and capitalism are attempts to make 
              greed and selfishness work for the greater good.

------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: A Simple Voting Procedure
Date: Fri, 24 Nov 2000 11:08:23 -0800


Dan Oetting wrote:
> 
> In article <[EMAIL PROTECTED]>, David Schwartz
> <[EMAIL PROTECTED]> wrote:
> 
> > Stanley Chow wrote:
> >
> > > Properties under discussion:
> > >    p1) voter can prove, by himself alone, at his sole option, that
> > >        his vote is or is not correctly counted
> > >    p2) voter can be forced to reveal his vote against his will
> > >
> >
> >       The voter is displayed a GUID before he or she votes which he may or
> > may not write down. He then casts his vote. Immediately after the
> > election, all the GUIDs are released along with which way they voted. At
> > the same time the voter votes, he is shown one GUID (that is not his)
> > that was cast (by someone else) for each other candidate, which he may
> > or may not write down.
> >
> >       Why doesn't this meet 'p1' without providing 'p2'?
> 
> If the system is rigged, the alternate GUID's could be selected from a
> small pool known to the attacker.

        No system can meet the requirements if it's not implemented according
to its specification.

        DS

------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: A Simple Voting Procedure
Date: Fri, 24 Nov 2000 11:10:57 -0800


Darren New wrote:

> I think the impossibility of P1 & not P2 comes from assuming that "prove"
> means you can prove *to a third party* whether your vote was counted
> correctly. If you can prove to a third party whether your vote was counted
> correctly, and you cannot prove it was counted incorrectly if it was
> actually counted correctly, then I think you cannot have P1 without P2.
> Otherwise, someone simply puts a gun to your head and says "Do P1".

        Actually, this argument is even incorrect. Suppose P1 requires the use
of some code number that was given to me but that I could forget.
Someone can point a gun at my head and demand that I "Do P1", but if I
never recorded my receipt or destroyed it, I still can't do it. Even if
I know a passphrase, nobody can coerce me into decrypting data if I lost
my key.

        DS

------------------------------

Date: Fri, 24 Nov 2000 14:32:38 -0500
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: A Simple Voting Procedure

I'm certain this is OT, but it has been for a while without serious flammage,
so...

Stanley Chow wrote:

> I am going to make one more try at this.
>
> David Schwartz wrote:
> >
> > Stanley Chow wrote:
> >
> > > Incorrect. It would be a poor design IFF the assumptions were
> > > indeed incorrect. Since most people think this particular
> > > assumption is correct, the design is not poor. One can only
> > > build what one knows how to build; not what one wants.
> >
> >         Even if it doesn't result in a poor implementation, the requirements
> > are still worse than they would be if they didn't include the
> > assumption. This holds even if the assumption is correct. The
> > requirements really should include what people actually want out of the
> > system and should not include conclusions about what's possible and what
> > isn't.
>
> Properties under discussion:
>    p1) voter can prove, by himself alone, at his sole option, that
>        his vote is or is not correctly counted
>    p2) voter can be forced to reveal his vote against his will
>
> Desirability:
>    The consensus is that p1 is desirable but p2 is not.
>
> Theoretical possibility:
>    There is no known proof whether (p1 & not p2) is possible.
>
> Current knowledge in the public domain:
>    There is no known way to achieve (p1 & not p2). There is good
>    evidence that it is impossible, but no proof.

Let's take a (simple) look at it.  Something like rubber truncheon crypto.

    Resolved: That any capability private or unique to the voter can be exposed to
the scrutiny of an oppressor by suitable application of persuasion.

Fundamentally this rests upon the assumption that there is no suitable shield
capable of deflecting the persuasion of an oppressor.   The creation of any such
shield would provide the voter with the ability to prove that (s)he voted both
ways, or N+1 ways counting "did not vote".  Given the ability to prove that one
voted any way at all allows the honest elections to be "proven" flawed.  Thus any
such shield against persuasion is unsuitable for use in elections because it
invalidates the legitimacy of all possible outcomes.



>
>
> Current knowledge in the private/classified domain:
>    I have not been shot, so I don't know. Maybe someone in the
>    NSA knows how. Maybe you are a nice alien trying to nudge us
>    further in our technology and/or civilization.


------------------------------

Date: Fri, 24 Nov 2000 14:37:09 -0500
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: A Simple Voting Procedure

David Schwartz wrote:

> Stanley Chow wrote:
>
> > Properties under discussion:
> >    p1) voter can prove, by himself alone, at his sole option, that
> >        his vote is or is not correctly counted
> >    p2) voter can be forced to reveal his vote against his will
> >
> > Desirability:
> >    The consensus is that p1 is desirable but p2 is not.
> >
> > Theoretical possibility:
> >    There is no known proof whether (p1 & not p2) is possible.
> >
> > Current knowledge in the public domain:
> >    There is no known way to achieve (p1 & not p2). There is good
> >    evidence that it is impossible, but no proof.
>
>         The voter is displayed a GUID before he or she votes which he may or
> may not write down. He then casts his vote. Immediately after the
> election, all the GUIDs are released along with which way they voted. At
> the same time the voter votes, he is shown one GUID (that is not his)
> that was cast (by someone else) for each other candidate, which he may
> or may not write down.
>
>         Why doesn't this meet 'p1' without providing 'p2'?
>
>         1) Nobody can establish how the voter voted. This is so because there
> is no way to compel a person to release his or her own GUID that doesn't
> permit him to release one of the other GUIDs he has been shown that
> result in thinking he voted some other way.
>
>         2) A voter can confirm how he voted. He was shown his GUID before he
> cast his vote, so he knows it was his will which determined what that
> GUID was paired to. That GUID either is or is not counted under the
> candidate the voter chose. The voter can establish this because the list
> of GUIDs (and how they voted) is released after the election.
>
>         If you think the scheme I suggest cannot be implemented, please suggest
> what the implementation problem is.

If you consider the behavior of a voter whose vote was not counted correctly (the
problem for which this proposal is a purported solution) against the behavior of a
voter who wishes to invalidate the legitimacy of the election you will find them
identical.

That similarity is a Bad Thing.



------------------------------

Date: Fri, 24 Nov 2000 14:43:38 -0500
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: How to find celebrity

[EMAIL PROTECTED] wrote:

> Among n people, a celebrity is someone who everyone knows but who knows
> no one. To identify the celebrity, if one exists, you are allowed to
> ask questions of any of the n people, but only of the form: "Excuse me,
> do you know that person over there?" Assume that all answers are correct.
> Minimize the number of questions you need to ask to determine the
> celebrity, if one exists, or to determine no celebrity exists in a
> given set of n people.
>
> suggestions please

Go back to Florida.



------------------------------

From: Darren New <[EMAIL PROTECTED]>
Subject: Re: A Simple Voting Procedure
Date: Fri, 24 Nov 2000 19:44:45 GMT

David Schwartz wrote:
>         Actually, this argument is even incorrect. Suppose P1 requires the use
> of some code number that was given to me but that I could forget.
> Someone can point a gun at my head and demand that I "Do P1", but if I
> never recorded my receipt or destroyed it, I still can't do it.

If you can't prove it to the dictator, then you can't prove it to the judge.
Hence, you lose the "P1 and not P2" quality. Instead, you're supposing
there's a "(P1 and P2) or (not P1 and not P2), at my choice" quality. Now,
that may be sufficient, but that wasn't the requirement stated.

Mr Bond, we're now going to torture you. If you prove you voted for me,
we'll release you. If you prove you voted for my opponent, we'll let you
die. If you can't prove either, we'll just keep torturing.

-- 
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST).  Cryptokeys on demand.
Both democracy and capitalism are attempts to make 
              greed and selfishness work for the greater good.

------------------------------

Date: Fri, 24 Nov 2000 14:46:46 -0500
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Entropy paradox

Bill Unruh wrote:

> In <[EMAIL PROTECTED]> Mok-Kong Shen <[EMAIL PROTECTED]> writes:
>
> >So if BBS generates u bits and I take m bits out of it,
> >how much entropy is in there? Thanks.
>
> Who knows. Zero? m? ...?
> It depends entirely on what BBS is.

Blum, Blum & Shub's PRNG that is provably as hard to analyze as factoring.



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Q: Encryption via modular rests
Date: Fri, 24 Nov 2000 20:45:29 +0100


Probably I have overlooked in reading literatures, but I am
ignorant of effective techniques of attacking encryption
of plaintext through encoding it to the modular rests with 
respect to a number of suitably chosen (secret) co-primes, 
a scheme which seems to trivially suggest itself from 
elementary number theory. (It is assumed that the opponent 
has only known-ciphertexts available.)

Thanks for pointers or comments in advance.

M. K. Shen
===================================
http://home.t-online.de/home/mok-kong.shen

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
